A third way of maintaining state is
to use Netscape persistent cookies. One of the features of the Netscape
Navigator browser is the capability to store information on the
client side. It does this by accepting a new Set-Cookie header from CGI programs,
and passing that information back using a HTTP_COOKIE environment variable.
We won't show a complete example, but we'll illustrate briefly.

A program that stores the information on the client side might
begin as follows:

The Set-Cookie header sets one cookie on
the client side, where a key is equal to a value. The expires
attribute allows you to set an expiration date for the cookie. The
path attribute specifies the subset of URLs that
the cookie is valid for. In this case, the cookie is valid and can
be retrieved by any program served from the document root hierarchy.
Finally, the domain attribute sets the domain
for which the cookie is valid. For example, say a cookie labeled
"Parts" is set with a domain attribute of "bu.edu".
If the user accesses a URL in another domain that tries to retrieve
the cookie "Parts," it will be unable to do so. You can also use
the attribute secure to instruct the browser
to send a cookie only on a secure channel (e.g., Netscape's HTTPS
server). All of these attributes are optional.

Now, how does a program access the stored cookies? When a
certain document is accessed by the user, the browser will send
the cookie information--provided that it is valid to do so--as the
environment variable HTTP_COOKIE. For example,
if the user requests a document for which the cookie is valid before
the cookie expiration date, the following information might be stored
in HTTP_COOKIE:

Full%20Name=Shishir%20Gundavaram; Specification=CGI%20Book

Cookies are separated from the next by the "
; " delimiter. To decode this information
and place it into an associative array, we can use the following
subroutine:

Now, if the user requests the URL in the path /images,
HTTP_COOKIE will contain:

Computer=SUN; Computer=AIX

There are a couple of disadvantages with this client-side
approach to storing information. First, the technique only works
for Netscape Navigator browsers. Second, there are restrictions
placed on the cookie size and number of cookies. The information
contained in each cookie cannot exceed 4KB, and only 20 cookies
are allowed per domain. A total of 300 cookies can be stored by
each user.